Tracking report was wrong, says Facebook …but there is a bug that needs fixing

Belgian tracking report was wrong, says Facebook

Facebook at ad:tech London, 2010, Creative CommonsAt the beginning of this month Facebook had hit back at a report commissioned by the Belgian Privacy Commission that suggested the social network tracked far more users than previously thought.

Since then, the company has published a blog post that lays out its peeves in far more detail – while admitting that engineers are working to fix a “bug” that may have inadvertently set cookies for some users when they weren’t on Facebook.

Richard Allan, Vice President of Policy, Europe, suggests that many of the report’s claims are erroneous, saying:

The report gets it wrong multiple times in asserting how Facebook uses information to provide our service to more than a billion people around the world.

Allan goes on to offer up a list of clarifications and corrections to what he says are the most serious errors in the report.

In response to claims that Facebook is using cookies to track users across the entire internet, he fails to rebut the claim itself, focusing instead on the fact that the company uses them to personalise a user’s experience, help them when they wished to stay logged in and to deliver “interesting” adverts.

This, he says, is common practice across the web and the majority of publishers use cookies for the exact same purposes.

On the topic of web advertising, Allan countered the claim that Facebook is ignoring its users’ choice to opt out of behavioural ads when visiting other websites and non-Facebook apps. He said the company does indeed stop using such information when an opt-out is confirmed via:

The industry-standard Digital Advertising Alliance opt out, the European Interactive Digital Advertising Alliance opt out or the Digital Advertising Alliance of Canada opt out.

He did, however, confirm that Facebook continues to receive “web impressions” when people visit other sites featuring the company’s social plugins and other “integrations”. This, apparently, is not the same thing that the authors of the Belgian report call “tracking”.

On the more tetchy subject of Facebook using Social Plugins to place a cookie – called ‘datr’ – into the browsers of non-Facebook users, allowing the company to track them for up to two years, Allan denied that was the case and said it was not the social network’s intention.

He did, however, concede that the researchers may have found a bug that allowed a cookie to be set in “a few instances”.

This, Allan says, is a situation the company is already addressing. He does not mention whether Facebook will be issuing a bug bounty to the researchers from the universities in Leuven and Brussels in lieu of their discovery.

To counter the claim that Facebook is in some way deceptive about how its advertising works, Allan reiterated that the company was quite clear on the subject and had been audited by the Irish Data Protection Commissioner:

We want people to understand how ads work on Facebook and we offer many resources to help them do so. For example, with ad preferences, you can click "Why did I see this ad?" from every ad on Facebook. People can see and control the actual interests that we use to deliver ads on Facebook. Our About Advertising on Facebook Page provides even more information.

Another area of Facebook policy that has attracted attention is its 2015 Data Policy which, the researchers said, allowed the company to expand the sharing of data between its various companies.

Allan noted how the company’s new data policy had not in fact changed anything in that regard – it merely added more detail by listing each of the companies that Facebook was already sharing data with.

In response to the report’s claim that Facebook does not provide granular control over the sharing of location data, instead offering an “all-or-nothing” approach, Allan said the user remained very much in control and that the company does not retain location data unless permission has been given:

The full list of rebuttals, which Facebook notes is non-exhaustive, may do little to pacify privacy campaigners who continue to take issue with the company’s approach to user data.

Just yesterday, for instance, Max Schrems and his Europe v Facebook group filed a class action lawsuit in a Vienna court, accusing Facebook of breaching EU privacy law, mass surveillance and involvement in the NSA’s snooping program.

And, earlier this week, we brought you the news that the company was also being hit with a class action lawsuit in Illinois – over claims that its vast database of facial recognition data violated privacy laws.

Facebook at ad:tech London 2010, by Derzsi Elekes Andor (Own work) [CC BY-SA 3.0], via Wikimedia Commons